after reading a lot more of the documentation and checking out the config files, a few more questions (and i'm always open to pointers to *really* good pam tutorials :-). first, a question or two about the /etc/pam.d/system-auth file, reproduced here: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so retry=3 type= password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so the "likeauth" argument for pam_unix.so in the "auth" section doesn't seem to be documented, as far as i can see. any hint as to what it means? also, a number of the other config files use the "pam_stack.so" module to recurse into system-auth. given that the system-auth file lists all four module types, i'm assuming that the only ones that will be incorporated into the recursive call are those lines that match the module of the "calling line", if i can call it that. is this correct? it only makes sense, but the man page for "pam_stack" doesn't state it explicitly. rday
